prosody-modules: mod_http_oauth2/mod_http

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5626:a44af1b646f5

mod_http_oauth2: Optionally enforce authentication on revocation endpoint But why do OAuth require this? If a token leaks, why couldn't anyone revoke it?

author	Kim Alvefur <zash@zash.se>
date	Mon, 31 Jul 2023 02:07:58 +0200
parents	81042c2a235a
children	9aace51c3637

comparison

equal deleted inserted replaced

-:e86a1018cdb3
+:a44af1b646f5
 			});
 		};
 	}
 end
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
 	response.headers.cache_control = "no-store";
 	response.headers.pragma = "no-cache";
 	if request.headers.authorization then
 		end
 		-- OAuth "client" credentials
 		if not verify_client_secret(credentials.username, credentials.password) then
 			return 401;
 		end
+		-- TODO check that it's their token I guess?
+	elseif strict_auth_revoke then
+		-- Why require auth to revoke a leaked token?
+		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+		return 401;
 	end
 	local form_data = strict_formdecode(event.request.body);
 	if not form_data or not form_data.token then
 		response.headers.accept = "application/x-www-form-urlencoded";

Mercurial > prosody-modules

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5626:a44af1b646f5